The battle for cybersecurity: who is better — CISO or vCISO?

22 Jun 2024 Author: Vladimir Buldyzhov

The role of the modern Chief Information Security Officer (CISO)

Evolution of cyber threats

With the ever-increasing automation of business processes, workflows, and paperwork, information is becoming the most valuable resource of commercial companies, public and government organizations. 

Cyber threats are evolving at an incredible rate, and the damage from cyber attacks can be enormous — from financial losses and reputational damage to legal consequences and business interruption. Cyber-physical attacks can even damage human health or cause environmental disasters.

Organizations face threats ranging from malware and DDoS attacks to data breaches and phishing. The importance of information security is becoming clear: it not only protects data and systems, but also ensures business continuity, customer trust and regulatory compliance.

In this article, we will describe the role of a modern Chief Information Security Officer. We will share our experience and insights on how you can learn this profession, grow such a manager in your company, or hire an effective incoming Chief Information Security Officer inexpensively.

The role of the CISO in securing a company’s data and infrastructure

Today, the Chief Information Security Officer (CISO) plays a central role in ensuring the protection of business processes, data and infrastructure in medium and large companies and organizations. However, even smaller organizations are increasingly starting to create at least part-time positions for the Chief Information Security Officer or Information Security Manager. His or her tasks go far beyond the technical security that a network engineer or security administrator can handle. The CISO is a strategic leader who sets security policy, manages risk, and ensures compliance.

The CISO acts as a liaison between IT, information security (if any), physical security, business units and senior management, as well as the company’s owners or shareholders. To effectively fulfill the CISO’s responsibilities, they need to understand the company’s business processes and strategic goals in order to harmoniously integrate security measures into the overall business strategy. 

Ultimately, security, especially risk management as its key process, is an economic discipline that deals with the concepts of probable damage, investment in risk mitigation measures, return on that investment, payback period, and so on. The CISO needs to be able to speak the language of business, money and economics in order to have a fruitful dialogue with the business leaders of his organization.

So what exactly does a CISO do to accomplish this? Let’s delve a little deeper into their day-to-day functions.

CISO responsibilities

CISO functions cover a wide range of tasks, including developing information security strategies, architectures, policies and procedures, threat analysis, risk management, developing and implementing employee security awareness programs, responding to major information security incidents and more. Consider some of these responsibilities.

Developing and implementing an information security strategy

One of the CISO’s primary functions is to develop and implement a comprehensive information security strategy for the organization. This strategy typically includes defining security standards, policies, and procedures to protect the organization’s information resources. Important steps in developing and implementing a security strategy include:

  • high-level analysis of the organization’s security posture;
  • defining high-level security objectives, to be detailed further in later steps;
  • integration of the security strategy with the organization’s business strategy;
  • developing and implementing security standards, policies, operating plans, procedures, checklists, and other security documents and records;
  • defining approaches to evaluating the effectiveness of security measures and performing this evaluation;
  • finally, adjusting current goals, plans, documents and records, initiating new cycles to support them, and so on ad infinitum.

Risk Management and Compliance

Effective risk management is one of the CISO’s most important responsibilities. It involves identifying information security risks, assessing and handling them. Without risk management, it is impossible or extremely difficult to optimize the information security budget and assess the feasibility of information security investments. 

Regulatory compliance is also a critical part of the CISO’s job. Depending on the industry and region, companies must comply with various standards and legal requirements such as GDPR, HIPAA, ISO/IEC 27001 and others. Along these lines, the CISO’s responsibilities include:

  • ensuring that all company processes and systems are compliant with current regulatory requirements;
  • conducting regular internal audits and participating in external audits to verify compliance;
  • updating and adapting security policies and procedures in line with changes in legislation and standards;
  • internal and external reporting and communications related to security compliance and breaches.

Incident Response and Investigations

Long before information security incidents occur, the CISO must determine how to respond to them, train employees and test their knowledge. The CISO’s actions include:

  • developing and implementing information security incident response plans;
  • coordinating the actions of different teams when an information security incident is detected;
  • participating in the restoration of operations of the company’s systems and processes affected by the incident;
  • investigating incidents, including cooperating with law enforcement;
  • communication, documentation, reporting, error management, post-incident measures, etc.

Other responsibilities of the director of information security

The human factor plays an important role in information security. Therefore, the CISO must organize regular training for employees on how to recognize and prevent vulnerabilities and cyber threats, cultivate and encourage “security champions” (informal security leaders), promote security methods and tools, and build a culture of security in the team. 

In addition to the above tasks, the CISO may perform or organize many other functions aimed at providing comprehensive protection for the company, such as:

  • specific security audits, testing and assessment of individual departments, processes, servers, applications or other organizational assets;
  • strategic identity and access management;
  • strategic management of security event monitoring and threat intelligence;
  • coordinating changes to the company’s IT infrastructure or software source code;
  • selecting, implementing and administering information security software and hardware solutions;
  • managing the security of supply chain and interactions with external parties;
  • IT infrastructure physical security management (protection of servers, mobile devices, participation in implementation and support of video surveillance systems, physical access control), etc.

Thus, CISO responsibilities require not only deep technical knowledge, but also developed leadership skills, the ability to make strategic decisions and the skills to effectively coordinate teams of employees with different priorities, goals and interests. Let us elaborate on this knowledge and these qualities.

CISO skills and qualifications

A Chief Information Security Officer must possess a wide range of skills and qualifications to effectively fulfill his or her responsibilities and protect the company from cyber threats. Let’s take a look at the basic core skills required to be successful in the CISO role. 

These skills are quite diverse, and are therefore rarely combined in one person in their entirety. Nevertheless, if a CISO lacks some of these skills, he or she will need more time to make day-to-day decisions and will have a harder time earning credibility with both subordinates and IT professionals from other departments.

Technical skills

  • Knowledge of network technologies: understanding of networking and network protocols, analyzing network traffic, identifying suspicious activity, managing firewalls, network access control systems, etc.
  • Vulnerability detection skills: knowledge of penetration testing and technical vulnerability assessment methods and tools. Ability to see weaknesses in architectures, business processes, operations, including undocumented ones.
  • Cryptology: knowledge of cryptographic methods and algorithms such as AES, RSA, SHA to protect data in transmission and storage. Understanding the basics of cryptanalysis helps assess system security, build secure systems, perform incident investigations, etc.
  • Data protection: ability to combine inventory, classification, authentication, authorization, encryption, monitoring and access control methods to protect valuable data.
  • Ability to work with large amounts of data: analyze logs to reconstruct events. Ability to recover corrupted data. Knowledge of regular expressions. Ability to convert unstructured data to and from structured data. Understanding of database security and the basics of modern database management.
  • Knowledge of off-the-shelf security solutions: understanding of software and hardware solutions from the following groups: cryptographic solutions, data security, threat detection, threat prevention, corrective and compensatory solutions, deceptive solutions, identity and access management, network access security, network security, endpoint management, application security and DevSecOps, vulnerability management, cloud security, security information and event management, risk management. Ability to benchmark solutions against multiple criteria and to select and implement optimal solutions for specific situations and future strategic development.
  • Understanding of software development, virtualization, DevOps technologies: design, development and refinement of scripts and other software used in information security systems and processes. Designing secure systems. Using virtual machines for debugging, testing, analyzing and other security tasks.

Soft skills

  • Team management: building a team of security professionals, planning, organizing, and motivating employees. Coordinating the efforts of teams with different interests in solving complex problems affecting several parts of an organization or even several different organizations.
  • Communication, presentation and teaching skills: effective communication with different levels of the organization, as well as with clients, contractors, partners, law enforcement agencies and the press. Ability to write, structure and present information in a way that makes it easy to digest. Ability to see issues from other perspectives, consider alternative views, negotiate, resolve conflicts, explain complex technical concepts in simple terms, “soften” communications and “smooth out the edges”. Ability to work in a multicultural environment. Ability to create and maintain a security culture, etc.
  • Analytical ability, project and crisis management skills, determination and responsibility: analytical and synthesis skills, modeling and decomposition skills, abstract and critical thinking. Understanding of non-obvious and complex cause and effect relationships. Foreseeing the consequences of events, actions and inaction. Independence, ability to act under conditions of partial uncertainty, tight deadlines and limited resources. Ability to take responsibility in a critical situation.
  • Other business skills: learning, adaptability, positivity, intuition, entrepreneurial skills (risk-taking, ability to quickly assess risks using informal methods, ability to quickly assess cost-benefit ratios), etc.

Economic skills

  • Quantitative risk assessment: conducting quantitative risk assessments, analyzing the likelihood and consequences of cyber threats.
  • Return on investment in security: arguing the necessity of security measures in terms of their economic feasibility, calculating ROSI (security ROI).

Business skills

  • Understanding of technological processes and business processes: ability to build security processes from scratch, document and visualize them, evaluate their effectiveness and optimize them. Ability to integrate security processes with other processes in the organization. Understanding the company’s business processes to find non-obvious vulnerabilities and threats, and to develop specific security measures that support those business processes.
  • Integrating security into the company’s strategy: integrate security strategy and measures into the company’s overall business strategy to support business objectives. Evaluate the alignment of security strategy and measures with the overall company strategy.

Legal skills

  • Knowledge of national and international legislation: knowledge of relevant local and international regulations related to IT and security, ability to correctly interpret these regulations and turn them into corporate requirements. Knowledge of liability measures for breach of regulations. Analysis of contracts, etc.
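The quantitative risk assessment and ROSI calculation named under the economic skills above, carried through on constructed figures so that the "language of money" a CISO must speak becomes concrete. This is an added worked example, not code from the original article: the risk register, control costs and mitigation fractions are all invented sample values, and the formulas are the standard ALE = SLE x ARO and ROSI = (avoided loss - cost) / cost.

```python
"""Quantitative risk assessment and return on security investment (ROSI).

Added illustration, not code from the original article. All risk figures,
control costs and mitigation fractions below are constructed sample values.
"""
from dataclasses import dataclass, field
import math


@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: expected damage per incident
    aro: float  # annualized rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: probable damage per year."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    one_time_cost: float
    annual_cost: float
    # fraction (0..1) by which the control cuts each named risk's ALE
    mitigation: dict = field(default_factory=dict)


def residual_ale(risk: Risk, controls: list) -> float:
    """ALE after the controls. Partial reductions from independent controls
    are combined multiplicatively, so two 50% controls leave 25%, not 0%."""
    remaining = 1.0
    for control in controls:
        share = control.mitigation.get(risk.name, 0.0)
        if not 0.0 <= share <= 1.0:
            raise ValueError(f"{control.name}: mitigation for {risk.name} outside 0..1")
        remaining *= 1.0 - share
    return risk.ale * remaining


def annual_benefit(risks: list, controls: list) -> float:
    """Reduction in total ALE per year that the controls buy."""
    return sum(r.ale - residual_ale(r, controls) for r in risks)


def total_cost(controls: list, years: int) -> float:
    return sum(c.one_time_cost + years * c.annual_cost for c in controls)


def rosi(risks: list, controls: list, years: int = 3) -> float:
    """(avoided loss - cost) / cost over a planning horizon.
    Negative means the controls cost more than the loss they prevent."""
    cost = total_cost(controls, years)
    if cost <= 0:
        raise ValueError("controls must have a positive cost")
    return (years * annual_benefit(risks, controls) - cost) / cost


def payback_years(risks: list, controls: list) -> float:
    """Time to recover the one-time outlay from avoided loss net of running
    costs; infinite when running costs eat the whole benefit."""
    net_per_year = annual_benefit(risks, controls) - sum(c.annual_cost for c in controls)
    if net_per_year <= 0:
        return math.inf
    return sum(c.one_time_cost for c in controls) / net_per_year


def rank_controls(risks: list, controls: list, years: int = 3) -> list:
    """Controls by stand-alone ROSI, best first: the order in which a
    budget-constrained CISO would argue for them."""
    return sorted(controls, key=lambda c: rosi(risks, [c], years), reverse=True)


# Constructed sample register (illustrative figures only).
RISKS = [
    Risk("ransomware", sle=400_000, aro=0.25),               # ALE 100,000
    Risk("phishing_credential_theft", sle=50_000, aro=2.0),  # ALE 100,000
    Risk("web_app_breach", sle=250_000, aro=0.2),            # ALE 50,000
]
CONTROLS = [
    Control("edr", 20_000, 30_000, {"ransomware": 0.6, "phishing_credential_theft": 0.2}),
    Control("awareness_program", 5_000, 10_000, {"phishing_credential_theft": 0.5, "ransomware": 0.2}),
    Control("waf", 10_000, 15_000, {"web_app_breach": 0.6}),
]

if __name__ == "__main__":
    for c in rank_controls(RISKS, CONTROLS):
        print(f"{c.name:18s} ROSI(3y)={rosi(RISKS, [c]):5.2f} payback={payback_years(RISKS, [c]):.2f}y")
    print(f"portfolio          ROSI(3y)={rosi(RISKS, CONTROLS):5.2f} payback={payback_years(RISKS, CONTROLS):.2f}y")
```

Note that the portfolio ROSI is lower than the best single control's: overlapping mitigations of the same risk give diminishing returns, which is exactly the argument a CISO needs when a budget holder asks why buying everything is not the best plan.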

The path to becoming a CISO

Gaining the skills and position of Chief Information Security Officer is a complex and multifaceted process that requires not only deep technical knowledge of information technology, but also the ability to respond quickly to threats, effectively manage risk, and a high degree of responsibility, prudence, foresight, communication, flexibility, adaptability, and other soft skills. Let’s look at the key steps on the path to this important position, including the ways of obtaining required skills and qualifications.

Education

Education plays a key role in preparing the future CISO. At the same time, university curricula are often 5–10 years behind modern technology and do not provide sufficient knowledge. Therefore, in order to obtain the necessary knowledge and skills, it is important to take specialized courses and obtain relevant certificates.

Some of the most recognized information security certifications best suited for the CISO role are CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager). These certifications demonstrate a high level of competence in information security management and are recognized by the international community:

  • ISC2 CISSP. The CISSP certification covers eight key information security domains, including risk management, asset security, security architecture and design, communications and network security, access management, security assessment and testing, operational security, and application security. To earn this certification, you must have a minimum of five years of information security experience and successfully pass a challenging exam.
  • ISACA CISM. The CISM certification focuses on strategic and operational information security management, risk management, incident management, and security program development and management. This certification also requires at least 5 years of experience and successful completion of the exam.

Professional experience

Practical experience in IT and information security is an important part of becoming a full-fledged CISO. Experience in this area helps develop the necessary hard and soft skills, as well as a deeper understanding of various practical aspects of information security in specific infrastructures, industries and local cultures. Quite often, effective CISOs start their careers in IT and then switch to information security:

  • Working in IT. Starting a career in IT provides the basic general technical knowledge and experience that information security jobs require. Working in roles such as system administrator, network engineer, or software developer helps you gain a basic general understanding of how IT infrastructure, IT services, and applications work.
  • Information security jobs. Moving into roles directly related to information security provides more specialized knowledge and experience. Such roles may include working as an information security analyst, security engineer, risk manager, or incident investigator. These experiences help develop the specialized basic practical skills required of a CISO.

Ongoing training and professional development

The world of cybersecurity is constantly changing. Therefore, to become and continue to be a successful CISO, it is not enough to have a good education, certifications, and initial experience. You need to continually learn and upgrade your skills, as well as stay up-to-date with the news of the cybersecurity world and the industries of your clients or employers. 

International security certifications are immediately revoked if the holder fails to report in time and provide proof that they have spent the required number of hours each year on continuing professional education.

  • Continuing education. Attending conferences, seminars, webinars and continuing education courses helps you stay up-to-date on the latest cybersecurity trends and threats. Some of the most well-known conferences include Black Hat, DEFCON, and RSA Conference.
  • Professional communities and associations. Joining professional communities and associations such as (ISC)², ISACA, and SANS Institute provides access to resources, training materials, and networking opportunities that can be beneficial for career advancement.
  • Analysis and research. Reading specialized literature, research articles, security surveys and reports helps you deepen your knowledge and stay up-to-date on current threats, vulnerabilities, new technologies and security techniques.
  • Development of soft skills. As mentioned above, soft skills are critical for an effective security manager. Specialized training and lessons learned from real work situations help develop soft skills. 

The stages listed above, covering both the hard and soft skills of a security manager, show how a competent and qualified CISO is formed, ready to cope with modern challenges in the field of information security.

Thus, we see that cultivating such competencies requires many years of interdisciplinary training, dedicated practice, and hard work. Accordingly, hiring a ready-made CISO who has invested this labor and a significant part of their life into their development will cost a considerable amount of compensation for that specialist. Fortunately, there is a more favorable alternative.

Benefits of using vCISO

A virtual CISO is an increasingly popular solution for many companies looking to maintain a high level of security while optimizing costs. Essentially, this is an outsourced CISO working under a contract.

Let’s look at the key benefits of using vCISO and give examples of real cases demonstrating the cost-effectiveness and flexibility of this approach.

Economic efficiency

One of the most significant benefits of using vCISO is cost efficiency. Hiring a full-time CISO can be expensive, especially for small and medium-sized businesses.

The idea behind hiring a virtual CISO is the ability to gain access to highly skilled information security experts without having to pay a full salary rate, as well as the full compensation and benefits package of an in-house employee.

  • Reduced salary and benefits costs. A full-time CISO typically requires a significant salary and benefits package, including health insurance, retirement contributions, and other compensation. Using a vCISO reduces these costs because the company only pays for services that are actually needed.
  • Optimize training and development costs. In-house specialists need constant training and professional development, which also requires financial investments. A vCISO specialist already has the necessary knowledge and experience, which reduces the cost of training, certifications and annual support.

Flexibility and adaptability

Flexibility and adaptability are another important benefit of using a vCISO. Companies can engage such an expert only as required, which is especially useful in a rapidly changing cyber threat landscape.

  • Access to a wide range of experts. Virtual CISOs often work at the head of a team made up of a diverse group of experts with a wide range of skills and knowledge. This allows the client company to receive advice and solutions on a wide variety of information security topics, from strategy to narrow technical issues.
  • Scalability of services. vCISO services can be easily scaled up and down depending on a company’s needs. This means that a company can increase or decrease the scope of services depending on current challenges and budget constraints.
  • Rapid adaptation to new requirements and threats. vCISO experts can respond quickly to new regulatory requirements and emerging threats, providing up-to-date recommendations and solutions.
  • High availability. Unlike an in-house CISO, vCISO services can be available 24×7×365. Because vCISO specialists are interchangeable, from the client’s point of view they never sleep, fall sick or go on vacation.

Case Examples

Let’s look at a couple of cases that demonstrate the benefits of using vCISO in practice.

A manufacturing company reduced incident damage by 51% and security costs by 42% thanks to CISO outsourcing

A medium-sized Polish manufacturing company faced the need to strengthen its information security and safety measures, including business continuity and protection from downtime, as a result of attacks by Russian hackers on the company’s IT and OT infrastructure. Hiring a full-time CISO would have been too expensive. The company decided to use the services of a vCISO with an ICS security specialization.

As a result, the company reduced costs by 42% compared to hiring an in-house specialist. The company was able to implement state-of-the-art data and system security practices and significantly improve the security of its IT and OT infrastructure, thanks to the expertise of vCISO.

The number of IT and cyber-physical security incidents reported by the company during the year decreased by 44% and the damage caused by these incidents decreased by 51%.

A financial startup used vCISO’s service, quickly obtained a security certificate and, thanks to it, attracted significant investments

A young fintech startup from Sweden developing software in the field of payment systems needed top-notch security experts to protect its innovative solutions. Hiring an in-house CISO would have been too costly for the company at the startup stage. The startup decided to utilize the services of vCISO.

As a result, the startup gained access to world-class experts who helped it develop and implement effective security measures. In addition, using vCISO allowed the startup to optimize its budget and allocate more funds to its core business while maintaining a high level of security.

The vCISO manager helped the startup determine which international security standards it needed to comply with first in order to promote itself in the US and European markets, and implemented compliance with these standards. Investors highly appreciated the certificates of compliance with the security standards. The startup successfully passed the next round of investment and significantly scaled its capacity.

Conclusion

In today’s digital world, the role of the Chief Information Security Officer has become increasingly critical to protecting companies’ data and infrastructure. The CISO ensures the development and implementation of effective information security strategies and plans, risk management, incident response, and employee training, all of which combine to create a robust defense against cyber and cyber-physical threats.

Utilizing a virtual CISO offers significant benefits, especially for small and medium-sized enterprises. The vCISO service can reduce costs, increase flexibility and adaptability, and provide access to top-notch experts to help ensure a high level of security.

Business tips: how to choose the right CISO or vCISO

When selecting a CISO or vCISO, it’s important to consider several key factors:

  1. Make sure the candidate has the necessary certifications and qualifications, such as CISSP or CISM, as well as relevant information security experience.
  2. The CISO should have a good understanding of the company’s business processes and be able to integrate security measures into the company’s overall strategy. Ask the candidate to make specific recommendations for protecting one particular business process. To begin, assess the candidate’s sense of proportion and his or her approaches to mitigating the inherent inconveniences that come with any security measures.
  3. Look for someone who has not only deep technical knowledge, but also the ability to effectively manage a team and communicate with management. Ask your human resources specialist or psychologist, as well as your economist and lawyer, to assess the candidate’s business, economic and legal skills.
  4. In a rapidly changing cyber threat landscape, the ability to adapt quickly to new demands and threats is important. Assign the candidate a non-standard test task, such as responding to a threat or incident from your company’s recent history or addressing a non-standard vulnerability that is not patched.
  5. Consider using the vCISO service temporarily or permanently instead of hiring a CISO to optimize costs, especially if your business is in a growth phase or you are looking for cost efficiency.

For those considering using a vCISO, we recommend looking into our service. Our highly trained information security experts meet all the requirements and guidelines listed above.

Our vCISO will help you integrate security into your business strategy, create added value and additional competitive advantages for your company thanks to the new high level of security, and avoid significant financial losses from incidents, fines for security violations and excessive salary costs for in-house specialists.

Learn more about Experts as a Service and Virtual CISO with a free consultation

Get a 10% discount on vCISO service with the promo code “HXvCISO”.
